Closed Bug 55070 Opened 24 years ago Closed 18 years ago

XBL needs simple defense against D.O.S./infinite recursion

Categories

(Core :: XBL, defect, P3)

Product:
Core
Component:
XBL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Future

People

(Reporter: brendan, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: testcase, Whiteboard: [rtm-])

Attachments

(7 files, 2 obsolete files)

testcase, using extends, crashes on load
641 bytes, application/xhtml+xml
Details
recursive cloneNode case
720 bytes, application/xhtml+xml
Details
Testcase #4
639 bytes, application/xhtml+xml
Details
Testcase #5
467 bytes, application/xhtml+xml
Details
Testcase #6
639 bytes, application/xhtml+xml
Details
Screenshot of error messages
41.72 KB, image/png
Details
Patch rev. 2
11.63 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
Denial of service, or more likely, XBL author error, can lead to infinite 
recursion and other runaway conditions.  A few obvious ones: two bindings that 
extend each other; a bindingattached handler that clones a node and inserts it 
in the document, causing the same handler to run again, cloning another node, 
etc.

/be
From hyatt's posting to m.xpcom:

div {
  -moz-binding: url(myfile.xml#mybinding);
}

<binding id="mybinding">
  <content>
    <html:div/>
  </content>
</binding>

/be

    
    

    
  
Ick. Cancel out of that cloneNode testcase after letting it go ~6
recursions deep. When you subsequently do 'File->Quit', on Windows (but
not Linux), mozilla-the-process never fully dies. It seems to be exercising
a bug in Win2k (both trunk and PR3-opt builds). 

When you break on the zombie process in the debugger, it says "DBG: Break 
command failed within 3 seconds. DBG: Potential deadlock. Soft broken.", and 
the 'stack' is pointing at OLE32.dll, USER32.DLL, and NTDLL.DLL.

    
    

    
  
nominate for rtm, cc mstoltz

Keywords: rtm

    
    

    
  
rtm-/future

Whiteboard: [rtm-]
Target Milestone: --- → Future

    
    

    
  
*** Bug 167148 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 271483 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 287303 has been marked as a duplicate of this bug. ***

    
    

    
  


  
I accidentally filed bug 350754, which is a duplicate of this one, but someone made a fix for that, for a certain type of xbl recursion.
This is another case of recursion in xbl, which isn't fixed by that patch.

Talkback ID: TB23024067K
NS_EscapeURL  [mozilla\xpcom\io\nsescape.cpp, line 440]

    
    

    
  


  
This is the recursive cloneNode case, just one page for easy viewing.
It doesn't crash Mozilla, it just freezes and slowly eats all available memory.

        Attachment #16090 -
        Attachment is obsolete: true
Keywords: testcase
Assignee: hyatt → general
QA Contact: jrgmorrison → ian

    
    

    
  
So the "recursive cloneNode" thing is not something we can do much about, really... that could be done without XBL too -- just keep cloning nodes.

The other we should fix; probably with a check similar to bug 350754.
Depends on: 350754

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase #4
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase #5
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase #6
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1 (obsolete)
        — Splinter Review
      

    


  
Something like this perhaps?

        Attachment #241729 -
        Flags: review?(bzbarsky)

    
    

    
  


  

    
    

    
  
Comment on attachment 241729 [details] [diff] [review]
Patch rev. 1

>Index: dom/locales/en-US/chrome/layout/xbl.properties
>+CircularExtendsBinding=Extending the XBL binding "%S" with "%S" would make it circular

Maybe more like:

  Extending the XBL binding "%S" with "%S" would lead to it extending iteself.

or something?

>Index: content/xbl/src/nsXBLService.cpp

>+  aDontExtendURIs.AppendElement(aURI);

Need to return error if this fails.

>@@ -1008,27 +1022,48 @@ >+          PRBool equal;
>+          if (NS_FAILED(uri->Equals(bindingURI, &equal)) || equal) {

I think if the Equals() call fails we should just return that error instead of reporting the recursion error message to the console.

>Index: content/xbl/src/nsXBLService.h
>+  nsresult GetBinding(nsIContent* aBoundElement, nsIURI* aURI,
>+                      PRBool aPeekFlag, PRBool* aIsReady,
>+                      nsXBLBinding** aResult,
>+                      nsVoidArray& aDontExtendURIs);

Document, please.  And is there a reason not to be using nsTArray<nsIURI>& for the array?  And probably pre-initi it to a size of 8 (or whatever measurements show?) since we only use it on the stack and generally don't have too deep a extends tree.

        Attachment #241729 -
        Flags: review?(bzbarsky) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 2Splinter Review
      

    


  
(In reply to comment #17)
> Maybe more like:
>   ... would lead to it extending iteself.

Fixed.

> >+  aDontExtendURIs.AppendElement(aURI);
> Need to return error if this fails.

Fixed.

> I think if the Equals() call fails we should just return that error
> instead of reporting the recursion error message to the console.

Fixed. Also fixed IsAncestorBinding() in the same way (bug 350754).

> ... is there a reason not to be using nsTArray<nsIURI>& for the array?

Yes, nsTArray<E> requires that E has a copy ctor and nsIURI is abstract.
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/xpcom/glue/nsTArray.h&rev=1.22&root=/cvsroot&mark=185#178
I changed nsVoidArray& to nsTArray<nsIURI*>& instead.

> ... pre-init it to a size of 8 (or whatever measurements show?)

Measuring: starting Firefox, open Preferences, open DOMI.
Distribution of 1361 GetBinding() calls gave these array sizes:
1: 514
2: 160
3: 360
4: 142
5: 136
6: 49
none had 7 or more. (Just starting Fx also gave a 1..6 distribution.)

        Attachment #241729 -
        Attachment is obsolete: true

        Attachment #242320 -
        Flags: superreview?(bzbarsky)

        Attachment #242320 -
        Flags: review?(bzbarsky)

    
    

    
  
> I changed nsVoidArray& to nsTArray<nsIURI*>& instead.

Er, that's what I meant.  nsTArray<nsIURI> was a typo.  ;)

    
    

    
  
Comment on attachment 242320 [details] [diff] [review]
Patch rev. 2

>Index: content/xbl/src/nsXBLService.cpp
>+nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, 
>+  NS_ENSURE_TRUE(aDontExtendURIs.AppendElement(aURI) != nsnull,

Shouldn't need the != nsnull thing there, right?

With that nit, looks great!

r+sr=bzbarsky

        Attachment #242320 -
        Flags: superreview?(bzbarsky)

        Attachment #242320 -
        Flags: superreview+

        Attachment #242320 -
        Flags: review?(bzbarsky)

        Attachment #242320 -
        Flags: review+

    
  
Assignee: general → mats.palmgren

    
    

    
  
(In reply to comment #20)
> >+  NS_ENSURE_TRUE(aDontExtendURIs.AppendElement(aURI) != nsnull,
> 
> Shouldn't need the != nsnull thing there, right?

Right, I was thinking of bug 340244 but NS_ENSURE_* doesn't suffer from that.

Checked in to trunk (without the "!= nsnull") at 2006-11-08 17:58 PDT.

-> FIXED
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
  
Flags: in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: